Security hardened, pah! Expert doubts Kaymera's mighty Google's Pixel

Kaymera: building on shoulders of a giant, claim

The arrival of a security hardened version of Google’s supposed "iPhone killer" Pixel phone from Kaymera has received a sceptical reception from one expert.

Kaymera Secured Pixel is outfitted with Kaymera’s own hardened version of the Android operating system and its security architecture.

This architecture is made up of four layers: encryption, protection from malicious downloads, a prevention layer that monitors for unauthorised attempts to access OS functions (such as microphone, camera or GPS), and a detection and enforcement layer that monitors, detects and blocks malicious code or misbehaving apps. Independent mobile security experts have questioned whether the technology offers much by way of benefits over that offered by native Pixel smartphones.

But professor David Rogers, chief executive of Copper Horse and a Lecturer in mobile systems security at the University of Oxford, questioned what exactly is new. “Many of the proposed functions are already in-built into Pixel (examples below), so what are the extra benefits Kaymera offers?”

For example, Pixel has full device encryption and file-based encryption, backed by TrustZone. Plus, as it's Google’s own phone, Pixel is first in line for patching - an important security defence in itself. “Pixel has many other functions and capabilities built over many years including Position Independent Execution (PIE), Address Space Randomisation Layout (ASLR), SE Linux and so on,” Rogers added.

Kaymera responded that its kit offered benefits on this front by enforcing security controls built into Pixel but not actually enforced.

Oded Zehavi, Kaymera chief operating offficer, told El Reg: “In places where Google has good enough security, we leverage the existing functionality (in many of the examples given here, the functionality is not actually enforced. In these cases we enforce and prevent disabling of the security functionality by negligent users or malicious hackers).”

Third-parties building on Google security do not have a good track record in this space (including Blackphone) in terms of getting their own code secure and tested properly, including updates. Rogers is unconvinced that Kaymera will do any better with hardening Pixel than others have done with hardening Android.

Zehavi responded that Kaymera devices have been tested to the most rigorous standards by governments around the world. “As a philosophy we always have more than one security layer against any attack vector hence we don’t trust any single security measure including Google security measures. For example, our prevention layer feeds with fake resources any payload that may overcome the OS hardening and get loaded onto the device,” Zehavi said.

Rogers remains unconvinced about the security proposition of the Kaymera Secured Pixel, especially in the absence of NCSC certification or US security certification. It’s more like “some kind of Chimera rather than a Kaymera,” he cuttingly concluded.

“If Kaymera really want to protect against comms interception, low-level malware attacks and so on, they would have to build some kind of firewall and introspection capability,” Rogers said. “To do that they would need access inside the Radio Interface Layer and also to processes and app data.”

“Google’s security architecture does not allow this unless you ‘roll your own’ in a big way, creating your own device and modifying the AOSP [Android Open Source Project] code to deliver a bespoke device,” he added.

Creating a bespoke device risks undoing Google’s security controls, Rogers warned. “Application sandboxing and isolation [are] there for a reason, including enforcing the Principle of Least Privilege,” he said.

The Israeli manufacturer said it had been careful to add extra security without breaking Google’s existing controls. Zehavi explained: “Even though we embed our code deep into the AOSP code in layers that are beyond what regular applications can reach, we do not break any existing Google security measures including the sandboxing etc. Instead, we add extra measures across the board that, as mentioned, leverage the existing mechanism but bring the device to a total different level of security which cannot be achieved via the application layer alone.”

Rogers responded: “They admit to using AOSP which I guess means they self-sign the build of the device themselves. That then comes down to a question of trust in who is digitally signing the product (that gives that signer access to absolutely everything, the radio path, the private data, the lot).“

The Kaymera Secured Pixel is aimed at business and government customers prepared to pay for extra to avoid the security weaknesses associated with the ‘off the shelf’ Android operating system. The device retains the original Google device’s purpose-built hardware, features and ergonomics. Users can, for example, still use the fingerprint scanner. Kaymera devices are centrally managed via the company’s management dashboard, enabling easy enforcement of security policies on the smartphone.

Kaymera’s secured Pixel phone is available immediately.

Kaymera was started in late 2013 by the founders of NSO, the surveillance tech provider whose legitimate iPhone spyware malware was used to target the phone of UAE human rights activist Ahmed Mansoor in August 2016. The spyware caused Apple to rush out emergency software patches, to plug vulnerabiliies in its iOS mobile operating system.

The Israeli firm is open about its roots. If NSO is a ‘poacher’, selling surveillance tools to governments, then Kaymera is the gamekeeper, its pitch runs. “I’m not sure I can buy in to the poacher turned gamekeeper thing here and I would rather trust Google in this case,” Rogers concluded. ®